Thursday, Aug 20, 2009

Adobe Flex 3.3 SDK DOM-Based XSS

I just released an advisory to Bugtraq regarding a DOM-Based XSS bug in the Adobe Flex 3.3 SDK and earlier versions. I notified the vendor back on June 29, 2009 and they released the fix on August 19th. If you would like more information, you can view their security bulletin and their TechNotes.

Overview

Adobe Flex is a software development kit released by Adobe Systems for the development and deployment of cross-platform rich Internet applications based on the Adobe Flash platform. An instance of a DOM-based Cross Site Scripting (XSS) vulnerability was found in the SDK's default index.template.html file, the template FlexBuilder uses to generate the HTML wrapper for every application file in a project. The XSS vulnerability appears to affect all users who download and use this HTML wrapper. For more information on DOM-based XSS, visit OWASP's site.

Technical Details

File: index.template.html

1) Data enters via URL parameters through the window.location JavaScript object, is stored in the MMredirectURL variable, and is then passed to the AC_FL_RunContent() function.

Line 59:
..snip..
var MMredirectURL = window.location;
..snip..

Line 63:
AC_FL_RunContent(
..snip..
  "FlashVars", "MMredirectURL=" + MMredirectURL + '&MMplayerType=' + MMPlayerType + '&MMdoctitle=' + MMdoctitle + "",
..snip..


2) The MMredirectURL variable, carrying user-controllable input, is passed to AC_GetArgs and ultimately to AC_Generateobj, which performs a document.write. Writing the unvalidated data into the HTML creates the XSS exposure.

File: AC_OETags.js

Line 200:
function AC_FL_RunContent(){
  var ret =
    AC_GetArgs
    ( arguments, ".swf", "movie", "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
    , "application/x-shockwave-flash"
    );
  AC_Generateobj(ret.objAttrs, ret.params, ret.embedAttrs);
}


Line 178:
function AC_Generateobj(objAttrs, params, embedAttrs)
{
  var str = '';
  if (isIE && isWin && !isOpera)
  {
    // IE/Windows branch: every attribute and FlashVars parameter value is concatenated raw
    str += '<object ';
    for (var i in objAttrs)
      str += i + '="' + objAttrs[i] + '" ';
    str += '>';
    for (var i in params)
      str += '<param name="' + i + '" value="' + params[i] + '" /> ';
    str += '</object>';
  } else {
    // All other browsers: same raw concatenation into an <embed> tag
    str += '<embed ';
    for (var i in embedAttrs)
      str += i + '="' + embedAttrs[i] + '" ';
    str += '> </embed>';
  }
  // The assembled markup, including the unescaped MMredirectURL, is written into the page
  document.write(str);
}


NOTE: For the exploit to work, the end user must have an older version of Adobe Flash installed than the version set in the Globals variable "requiredMajorVersion" (Line 36).

Proof-of-Concept Exploit

This vulnerability can be exploited against any Flex based application that uses the index.template.html wrapper page containing the code above. In order to exploit this issue, the end user must have Adobe Flash installed, but it must be an older version than the required one set by the application owner (set in Globals variable "requiredMajorVersion").

Reproduction Request:

http://FlexApp/Flex/index.template.html?"/></object><XSS attack string goes here>

Recommendation

Update to Flex 3.4 SDK or view Adobe's TechNotes on how to manually fix the issue.
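The following is an added example, not code from the Flex SDK or from Adobe's TechNote. It models the string-building path of AC_Generateobj in plain Node-runnable JavaScript (the markup is returned rather than passed to document.write, so no DOM is needed), feeds it a constructed window.location value shaped like the reproduction request above, and counts the tags in the result so the attribute breakout is visible. The hardened variant, which percent-encodes each FlashVars value and HTML-escapes every attribute before it is written, is an assumed mitigation for illustration; the attribute names, sample values and the marker element are constructed for the example.

```javascript
// Added example, not code from the Flex SDK: a Node-runnable model of the
// string-building path in AC_Generateobj so the attribute breakout can be
// observed and a mitigation checked. The HTML is returned instead of being
// passed to document.write, so it runs without a DOM.

// Mirrors the two branches of AC_Generateobj. `useObjectTag` stands in for
// the (isIE && isWin && !isOpera) check. Values are concatenated raw, exactly
// as in the SDK file.
function generateObjRaw(objAttrs, params, embedAttrs, useObjectTag) {
  let str = '';
  if (useObjectTag) {
    str += '<object ';
    for (const i in objAttrs) str += i + '="' + objAttrs[i] + '" ';
    str += '>';
    for (const i in params) str += '<param name="' + i + '" value="' + params[i] + '" /> ';
    str += '</object>';
  } else {
    str += '<embed ';
    for (const i in embedAttrs) str += i + '="' + embedAttrs[i] + '" ';
    str += '> </embed>';
  }
  return str;
}

// Escapes the characters that can terminate a double-quoted HTML attribute or
// start a tag. Applied to every attribute value before it reaches the markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened variant (an assumed mitigation, not Adobe's own patch): identical
// structure, but no value is written unescaped.
function generateObjEscaped(objAttrs, params, embedAttrs, useObjectTag) {
  const esc = (attrs) => Object.fromEntries(
    Object.entries(attrs).map(([k, v]) => [k, escapeAttr(v)]));
  return generateObjRaw(esc(objAttrs), esc(params), esc(embedAttrs), useObjectTag);
}

// Builds the FlashVars string the template assembles from window.location.
// `encode` selects whether each value is percent-encoded first, which keeps
// the redirect URL a single query token whatever characters it contains.
function buildFlashVars(location, playerType, docTitle, encode) {
  const f = encode ? encodeURIComponent : (v) => v;
  return 'MMredirectURL=' + f(location) +
         '&MMplayerType=' + f(playerType) +
         '&MMdoctitle=' + f(docTitle);
}

// Counts start and end tags in a markup string. The wrapper legitimately emits
// a fixed number of tags (two for <embed>..</embed>; for <object>, one per
// <param> plus the open and close tags). Any surplus means a value broke out
// of its attribute, which is a simple check to run over generated wrappers.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample request, shaped like the advisory's reproduction request
// with a harmless marker element in place of a payload.
const SAMPLE_LOCATION =
  'http://FlexApp/Flex/index.template.html?"/></object><b>marker</b>';

// Runs the vulnerable and hardened builders on the sample for one branch and
// returns the tag counts, so the difference is measurable.
function compare(useObjectTag) {
  const mk = (encode) => {
    const flashVars = buildFlashVars(SAMPLE_LOCATION, 'PlugIn', 'Title', encode);
    return {
      objAttrs: { classid: 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' },
      params: { movie: 'app.swf', FlashVars: flashVars },
      embedAttrs: { src: 'app.swf', FlashVars: flashVars },
    };
  };
  const v = mk(false);
  const h = mk(true);
  return {
    vulnerable: countTags(generateObjRaw(v.objAttrs, v.params, v.embedAttrs, useObjectTag)),
    hardened: countTags(generateObjEscaped(h.objAttrs, h.params, h.embedAttrs, useObjectTag)),
  };
}

// Embed branch: 5 tags vulnerable vs 2 hardened; object branch: 7 vs 4.
console.log('embed branch:', compare(false), 'object branch:', compare(true));
```

Two points on the design. Percent-encoding alone already removes the quote and angle brackets from the FlashVars value, and attribute escaping catches anything else that reaches the markup; applying both means neither layer has to be perfect. Note also that browsers following the current WHATWG URL standard percent-encode `"`, `<` and `>` in the query component of location.href, so the literal breakout in the reproduction request depends on 2009-era browser behaviour; a fix should not rely on that, since other characters and other sinks are not protected by it.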

Reader Comments (1)

I have read a few posts around the subject of security and security audits. This is the only blog post I have found explaining what was found and what was done about it; most simply mention, oh yea btw this is unsecure.

October 7, 2009 | Unregistered Commenter richard
